Easy NAC: CGX Access Guide
1
EASY NAC CGX ACCESS DEPLOYMENT GUIDE
Installation and Configuration Guide
Easy NAC and CGX Access are trademarks of InfoExpress, Inc. Other product and service names are
trademarks and service marks of their respective owners.
www.infoexpress.com
www.easynac.com
V2.3
Contents
Overview ..... 5
  Appliance Licensing Options ..... 7
  Appliance Specifications ..... 7
VM installation ..... 8
Configuring CGX Access ..... 12
  Appliance Placement ..... 12
  Initial configuration ..... 12
    Basic IP configuration ..... 12
    Captive Portal IP Address ..... 14
    Remediation Portal IP Address ..... 14
    Connecting to Active Directory ..... 14
    AD Integration ..... 15
    Configuring Email and SMS Servers ..... 17
  Protecting Additional Subnets ..... 19
    Adding Network Adapters ..... 19
    Using 802.1q trunk ports ..... 20
    Additional 802.1q configuration in VMware ESX / ESXi ..... 21
    Additional 802.1q configuration in Hyper-V server ..... 22
Enforcement Overview ..... 28
Configuring Access Policies ..... 29
  Device Classification Policies ..... 29
  Access Control Lists ..... 31
  ACL Syntax ..... 32
Flagging Devices and Whitelisting ..... 35
  Flags ..... 36
  Whitelisting \ Blacklisting ..... 37
Anti-spoofing Protection ..... 39
  Setting Fingerprints ..... 39
  MAC Spoofing Detection ..... 41
  Rogue DHCP Server Detection ..... 41
Time \ Location \ List Policies ..... 43
  Location Policy ..... 43
  Time Policy ..... 43
  Device-Lists Policy ..... 45
Configuring Guest Access ..... 46
  Customize Captive Portal ..... 46
  Customize Guest Portal ..... 46
  Guest Registration Methods ..... 47
  Customizing Device Registration for Guests ..... 48
  Setting up Sponsors ..... 49
  Sponsoring Users ..... 51
Configuring Device Registration ..... 52
  Customizing the Device Registration portal ..... 52
  Confirm Active Directory settings ..... 52
  Customizing Device Registration Methods ..... 54
  User Experience ..... 56
Integration: Anti-Virus \ Endpoint Management ..... 57
  Sophos Enterprise Console Integration ..... 58
  McAfee ePolicy Orchestrator Integration ..... 60
  Symantec Endpoint Protection Manager - 12.x ..... 62
  Symantec Endpoint Protection Manager - 14.x ..... 68
  Trend Micro OfficeScan Integration ..... 70
  Kaspersky Antivirus Integration ..... 73
  Microsoft SCCM \ WSUS Integration ..... 76
  IBM BigFix Integration ..... 79
  Moscii StarCat Integration ..... 81
  Carbon Black Cb Response Integration ..... 84
Automated Threat Response with Syslog ..... 88
  Syslog Event Creation ..... 89
Automated Threat Response - Email Alerts ..... 91
  Email Event Creation ..... 92
Advanced Configuration Options ..... 94
  Administration Permissions ..... 94
  Customizing Landing Pages ..... 96
Central Visibility Manager ..... 98
  CVM Overview ..... 98
  Configuring a Central Visibility Manager ..... 98
  Configuring a Remote CGX Access Appliance ..... 102
  Deployment Manager ..... 103
Maintenance and Support ..... 105
  Upgrading firmware ..... 105
Easy NAC: CGX Access Guide
4
Disclaimer
The information in this document is subject to change without notice. The statements, configurations,
technical data and recommendations in this document are believed to be accurate and reliable, but are
represented without express or implied warranty. Users must take full responsibility for their applications
of any products specified in this document.
This document is provided for your use to help understand the behavior of the product.
Although the information is believed to be substantially accurate at the time that it was written, this
document doesn’t imply that specific features or functionality are present in your version of the product.
InfoExpress Inc. makes no express or implied warranties regarding the product’s features or behavior as
described herein. For product specifications, please refer to the product documentation included with
product installation.
The software described in this document is furnished under a license agreement and may be used only in
accordance with the terms of that license.
Products that are referred to in this document may be either trademarks and/or registered trademarks of
the respective owners.
The information in this document is proprietary to InfoExpress Inc.
Easy NAC Solution
Overview
The CGX Access solution provides the following features:
Agentless Visibility
CGX Access lets you see devices that join your network, without the use of agents. Visibility is
immediate, with any untrusted device being immediately restricted, as desired. Devices will be both
passively and actively profiled to determine operating system, manufacturer, and type of device.
Easy to Implement Enforcement
CGX Access uses ARP enforcement and HTTP redirection to control which devices can access the
network. ARP enforcement is an out-of-band enforcement method that doesn’t require network changes.
It works with any network infrastructure, both managed and unmanaged switches.
Simple LAN \ WLAN Protection
It is easy to control which devices are allowed to access the network. Untrusted devices and rogue
infrastructure that joins the network will immediately be detected and automatically restricted in real-
time. Devices can be allowed access with simple ON \ OFF controls or policies can be set for automated
access.
Automated MAC Address Whitelisting
CGX Access will regularly check with your Active Directory server to verify which devices are domain-
joined. Devices that are confirmed as domain-joined will automatically be granted full access to the
network. Devices that are not domain joined can be manually flagged as approved. In addition, device
profiling can also be used to automate the process of flagging approved devices.
Anti-Spoofing Protection
CGX Access provides a fingerprint feature to protect against MAC address spoofing. All devices on the
network are profiled for their MAC address, IP, Operating System, and Hostname. This information can
then be used to set a unique fingerprint for each device. Once a fingerprint has been set, the device(s) will
be protected from spoofing.
Enforce Anti-Virus and Security Policies
CGX Access integrates with enterprise Anti-Virus vendors and leading endpoint management solutions,
to verify endpoint security is active and up-to-date. By integrating with leading security solutions, CGX
Access can enforce compliance with security policies. Devices out-of-compliance can be restricted at the
point of network access.
Automated Threat Response
Security appliances that are designed to monitor devices and network traffic can send event-based alerts
for administrative action. CGX Access can receive e-mail alerts or event-based syslog messages from
Firewalls, APT, IPS, SIEM, and many other types of security devices and then take immediate action
when necessary. If CGX Access receives an alert that a device has malware, we can restrict it
immediately.
BYOD Registration
CGX Access provides a self-registration portal to automate the BYOD registration process. Policies can
be set, by groups, to limit the number and type of BYOD devices. It improves security by tracking device
ownership, restricting the locations, and limiting network access to approved resources.
Guest Access
CGX Access lets sponsors register guest accounts or authorize guests to create their own accounts via the
landing page. Sponsors can authorize individual registrations or register groups for classes or meetings
with configurable expiration times.
Role-based Access Control
CGX Access enhances security by limiting devices to only the resources required. Guests are limited to
internet only access. BYOD and consultant devices can be limited to specific resources.
Appliance Licensing Options
CGX Access is available as an appliance, mini-appliance or as a virtual appliance. Licensing is based on
the number of devices that CGX Access solution has visibility of. When using the Central Visibility
Manager, a distributed license option will enable a license to be shared between multiple appliances.
Please contact your authorized partner or InfoExpress for up-to-date information on licensing.
Appliance Specifications
Model                 Access Mini   Access 100   Access VM    Access VM    Access VM
Part number           CGXA-S10      CGXA-S100    CGXA-V50     CGXA-V100    CGXA-V200
Scalability
  Maximum Devices     300*          2,500*       2,500*       5,000*       10,000*
  Maximum Subnets     10            100          50           100          >200*
  Number of Ports     4             6            10 virtual   10 virtual   10 virtual
                                                 adapters     adapters     adapters
VM installation
Installing on ESX or ESXi server
The virtual CGX Access appliance can be deployed as an .ovf template native to VMWare. You will need
the CGX Access .ovf image, which is usually provided as a zip file. Please contact InfoExpress or your
business partner to obtain this file.
• Unzip the provided file to a location accessible to the vSphere client application.
• In the VMWare vSphere Client, choose File - Deploy OVF Template
• On the first screen, select the .ovf file
• Click next on the OVF Template Details screen. (There may be a warning screen here, but you can
proceed).
• Provide a name and optionally a location for the template and click 'Next'
• Select the datastore where the virtual machine files should be kept and click 'Next'
• Select the desired format for your installation and click 'Next'
• Select the desired network mapping for the interfaces and click 'Next'
• Verify the options and click 'Finish' when ready to proceed
• The vSphere client will then proceed to deploy the image.
Installing on Hyper-V server
The virtual CGX Access appliance can be deployed using Hyper-V Manager, Windows Server 2012 R2
and above only. The CGX Access Hyper-V image is usually provided as a zip file. Please contact
InfoExpress or your business partner to obtain this file.
• Unzip the provided file to a location accessible to the Hyper-V Manager.
• In the Hyper-V Manager, Click Action menu and select Import Virtual Machine
• On the first screen, specify the folder of the extracted image and click Next.
• Select the listed virtual machine ‘CGX-Access-2.3’. Click next.
• Choose Import type as ‘copy the virtual machine (create a unique ID)’
• Click Next and specify the Destination folders for different settings
• Select the Virtual Hard Disk destination folder in the next screen.
• Verify the options on Summary page and click 'Finish' when ready to proceed.
• The Wizard will then proceed to deploy the image.
• The Virtual Machine will be listed in Hyper-V Manager.
• Select the virtual machine ‘CGX-Access-2.3’ and click ‘Settings’ from ‘Action’ menu.
• Select the Network Adapter and assign a Virtual switch from the right-side drop-down box as
highlighted below and Apply the setting.
Configuring CGX Access
This section will walk the administrator through the steps needed to configure a CGX Access appliance.
Appliance Placement
CGX Access provides protection \ access control on the subnets it is attached to with layer-2 visibility.
Each CGX Access appliance can protect up to 100 VLANs concurrently with the use of 802.1q trunk
ports. The Managed IP interface is the primary interface and is used for appliance management. The
CGX Access appliance should be able to communicate with the AD server via the Managed IP.
For simple single-subnet deployments or testing, the Managed IP should therefore be on the subnet you
wish to enforce access control on. To support multiple VLANs, additional network interfaces or trunk
ports can be used.
Initial configuration
CGX Access typically requires two IP addresses in a single subnet deployment. One IP is used for
management of CGX Access appliance and another IP is used for the captive portal (landing page). When
protecting additional VLANs, each additional subnet protected will also require one IP on its respective
subnet. For example, when protecting four subnets, a total of five IPs will be used.
Note: The CGX Access appliance provides built-in ARP-based enforcement. Enforcement can be enabled
on up-to 100 VLANs, including the subnet with the Managed IP.
Basic IP configuration
• For physical appliances, either plug in a keyboard and HDMI monitor or attach a 9-pin serial cable to
the serial console port, then power on the physical appliance.
• For virtual appliances open a console window and power on the VM.
Once the boot cycle is complete you will be prompted for a login.
• Login as admin/admin.
• From the main menu choose 1 (Run setup wizard) and follow the prompts to set the Managed IP
address and netmask, the default gateway, DNS servers, system name, time zone and date/time.
Note: Keep the admin password in a safe place. If it is lost without having access to an alternate admin
level account there will be no way to recover the password.
Default user accounts are:
• admin - used for initial setup and configuration as well as ssh access for maintenance tasks
• cguser - used for uploading files through ftp
The default passwords are the same as the user name
When the setup wizard completes, the system should be accessible on the network.
• Confirm that you can ping the management IP from another system on the same subnet and also
from a system on another subnet. If the pings do not succeed double check the physical or virtual
connections and the basic IP configuration
• Connect to the CGX Access web GUI by opening https://<Managed ip> (that was configured
previously). Compatible browsers include:
o Internet Explorer 9 or higher
o Firefox v27 or higher
o Chrome Version 22 or higher
o Safari v7 or higher
• Login as user admin (default password admin). A modern browser such as Chrome is strongly
recommended. Older versions of IE or Firefox may not display the pages correctly.
Captive Portal IP Address
A separate IP address will be used for the Captive Portal \ Landing pages. To configure this IP address:
• In CGX Access GUI go to Configuration → Appliance Settings
• Provide the IP address and subnet mask in the fields provided
Remediation Portal IP Address
An additional static IP can be assigned to an optional Remediation Portal. When configured, non-
compliant endpoints can be redirected to this page, so they are aware their device is restricted and know
the reason why. The redirection is enabled via the ACLs.
To configure a Remediation Portal IP, use the same steps as above.
Connecting to Active Directory
Authentication credentials are often stored in an Active Directory server. Active Directory can be used to
validate credentials for the following CGX Access features:
• Employee Device Registration (see Configuring Device Registration)
• Sponsoring Guest accounts (see Configuring Guest Access)
• Permissions for administrators to access the management GUI (see Advanced Configuration Options)
Configure Active Directory server settings on CGX Access
• In CGX Access admin UI go to Configuration → General Settings.
• Click on Servers:
• Under "Active Directory Server", enter the host name or IP address of the AD domain controller and the
account suffix in the "Account Suffix" field. A user name and password are often required.
• Use the “Test LDAP connection” button to test the settings
Note: the @ symbol should be included in the Account Suffix
Note: up to 10 AD servers can be configured
AD Integration
Tip: For faster deployment, AD integration can be enabled. When enabled, devices joined to the domain
will be flagged as AD-managed, and automatically granted full access to the network.
• In CGX Access admin UI go to Configuration → Integration
• Click on Active Directory Integration
• Check “Enable Integration”
• Check “Flag device if is AD-managed”
• DNS can sometimes be useful to increase the number of devices flagged as AD-managed.
However, if DNS information is stale, it can lead to false positives.
Note: In some cases, AD computer objects may be stored in a non-default OU. In these cases, it may be
necessary to adjust the OUs that need to be queried. Custom OUs can be specified in the Active Directory
Server section under Configuration → General Settings
For example, an Active Directory domain CGX.ACCESS has an OU called “USA”, and the computer
accounts for that OU are stored under “Computers”. The custom OU query should look like:
CN=Computers, CN=USA
Configuring Email and SMS Servers
CGX Access can send notification emails and SMS messages when certain events occur. These event
triggers are configured with device classifications and monitoring rules (covered in another section), or
for guest registration.
To configure the email and SMS servers used by CGX Access:
• Go to Configuration → General Settings and click on the “Servers” section.
• Select the appropriate tab
• Enter the needed information and click 'Save'.
• The Inbound Mail Server is used for Firewall \ APT integrations via E-mail (see Page 82)
• Go to Configuration → General Settings and click on the “Contact Information for Notifications”
section.
• Fill in the info for at least one administrative contact that should get notified when triggering
conditions occur
Notifications can be configured and triggered using Device Classification policies, Monitoring policies, or
Device Profiling policies. Different actions are available when a condition is detected:
Protecting Additional Subnets
With the use of ARP enforcement, CGX Access requires layer-2 visibility of ARP broadcast traffic to
detect and restrict devices. There are two methods that can be used to extend visibility to multiple subnets.
• Method 1 – Physical connection: Add an additional network adapter and plug it into a normal switch
access port to extend protection to an additional subnet. The physical appliances support up to 6
adapters and the virtual appliance supports up to 10 adapters.
• Method 2 – 802.1q trunk: Use 802.1q trunk ports so that multiple VLANs can be protected with just
one or more adapters. With the use of trunk ports up to 200 VLANs can be protected. 10 - 20
VLANs per adapter is recommended. Multiple adapters are recommended if there is extensive
traffic from devices being restricted with ACLs.
o Virtual CGX Access appliances also support 802.1q. Please note that additional
configuration in the ESX/ESXi server is required.
Adding Network Adapters
If using VMware, the virtual appliance is pre-configured with 10 virtual adapters. To configure adapters
inside the virtual appliance, go to:
• In CGX Access GUI go to Configuration → Appliance Settings
• Select the method the IP address will be assigned to the adapter
• Complete IP address information if a static IP address will be used. DHCP can also be used.
• To confirm the network changes, click the Submit button
Note: When adding adapters to the CGX Access virtual appliance, the adapter must first be provisioned
within the VMware host and then connected to the virtual appliance.
Using 802.1q trunk ports
If the network is configured to support VLAN trunking, then adding additional VLANs is simple.
Note: One or more adapters connected to the CGX Access appliance must be attached to a switch port(s)
configured as a trunk port.
• In CGX Access GUI go to Configuration → Appliance Settings
• Click “Add VLAN” button on the adapter attached to a trunk port
• Complete VLAN ID and IP address information. Static IP addresses or DHCP can be used.
• To confirm the network changes, click the Submit button.
Additional 802.1q configuration in VMware ESX / ESXi
In order for CGX Access virtual appliances to support 802.1q, a port group that supports
802.1q VLAN tagging is needed. To configure it in your VMware virtual switch in ESX/ESXi,
please follow the steps below:
1. Edit host networking
2. Navigate to Host → Configuration → Networking → vSwitch → Properties.
3. Click Ports → Portgroup → Edit.
4. Click the General tab.
5. Set the VLAN ID to All (4095) to trunk all VLANs.
6. Click OK
7. Assign the CGX-Access virtual appliance to use the trunk port group created above.
The physical network adapter of the host must be connected to a trunk port on the physical
network switch.
Additional 802.1q configuration in Hyper-V server
In order for CGX Access virtual appliances to support 802.1q, Hyper-V’s network adapters should be
configured to tag frames. To enable trunking, some commands need to be entered from Windows
PowerShell. The following screenshots show the prerequisite configuration.
• Hyper-V physical network adapter should support 802.1q tagging
• Switch port on which CGX Access trunk port is connected should support 802.1q tagging.
• From Virtual switch manager, configure virtual switch as “External Network”
• Select VM CGX-Access-2.3 (or vmname) and from right hand pane, click on settings. Assign
virtual switch to the network adapter on CGX Access.
• Start Windows PowerShell and enter the following command to configure “Network Adapter 1” as a
trunk port with allowed VLANs 0,2,3,5,100 and native VLAN 0 (VLAN 1 on Cisco). The backtick at
the end of the first line is the PowerShell line continuation; the command can also be typed on one line.
# Trunk mode on the VM adapter; Hyper-V native VLAN 0 corresponds to Cisco VLAN 1
Set-VMNetworkAdapterVlan -VMName CGX-Access-2.3 -VMNetworkAdapterName "Network Adapter 1" `
    -Trunk -AllowedVlanIdList "0,2,3,5,100" -NativeVlanId 0
• To verify, enter the following command and check that the adapter shows Trunk mode with the
expected VLAN list.
Get-VMNetworkAdapterVlan -VMName CGX-Access-2.3
Configuration required on the switch port (a Cisco switch configuration is used in this example).
In this example, VLANs 2,3,5,100 are allowed with native VLAN 1 (Cisco VLAN 1 = Hyper-V VLAN 0).
Switch#configure terminal
Switch(config)#interface fastEthernet 0/3
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 2,3,5,100
! Optional: only if you want a native VLAN other than 1
Switch(config-if)#switchport trunk native vlan 2
Switch(config-if)#exit
Configuring CGX Access Network adapters with Vlans
• Start CGX Access VM
• In CGX Access GUI go to Configuration → Appliance Settings
• Click “Add VLAN” button on the adapter attached to a trunk port
• Complete the VLAN ID and IP address information. Static IP addresses or DHCP can be used.
• Repeat the step above to add more VLANs, then click Submit.
• If DHCP is configured, you should see IP address assignments on the VLAN NICs.
Enforcement Overview
CGX Access uses ARP enforcement to restrict access with landing page redirection. The use of ARP
enforcement greatly simplifies the deployment of CGX Access, as no network changes are required. ARP
enforcement is also used to provide role-based control. To provide role-based control, CGX Access
supports six default Access Groups: restricted, limited, full-access, guest-access, consultant, and byod-
access. Each access group has a configurable ACL so that the role-based control can be
customized.
By default, subnets are placed in monitoring mode. It is recommended that the basic setup be completed,
ACLs fine-tuned, integrations enabled, and white-listing of devices be performed before enabling
enforcement. When one or more subnets are in monitoring mode a status message is clearly visible across
the top of the management console.
When ready, enforcement can be enabled in the Network Map. Enforcement can be delayed a few minutes
when first enabled.
• Go to NAC → Network Map
Note: VRRP and HSRP Redundancy
For CGX Access to function properly, it needs to know the MAC/IP of routers/gateways on the
subnet. In case VRRP or HSRP is used, it is required that router's virtual and actual MAC addresses
be configured in the "routerlist" under subnet configuration in "Network Map".
• Go to NAC → Network Map
• Find the desired subnet and click on the “Show Configuration” link
Configuring Access Policies
CGX Access includes default access groups. Customized access groups can also be configured. The
defaults are:
1. restricted (with redirection to captive portal)
2. full-access (complete access)
3. guest-access (default is internet only)
4. byod-access (full access by default, but can be changed to limit access to internal resources)
5. consultant (full access by default, but can be changed to limit access to internal resources)
6. limited (full access by default, but can be changed. This access group is recommended for
remediation purposes, but can be used for a variety of use-cases)
7. Restrict-FB (provides access to Facebook while restricted, to enable Guest Access authentication
using Facebook credentials)
8. Restrict-Azure (provides access to Microsoft while restricted, to enable BYOD authentication
using MS Azure credentials)
Each access group has a customizable ACL associated with it. Every device joining a protected subnet
will be assigned an access group. Restricted access is the default for new and untrusted devices.
Access Groups are assigned in a two-step process where conditions are first evaluated in the Device
Classification Policy so a role can be assigned. Second, roles are then assigned one of the six access
groups.
Device Classification Policies
In CGX Access admin UI:
• Go to Policies → Device & Role Classification.
CGX Access has a set of preconfigured device classification rules which will address typical
requirements, but can be modified to suit unique needs.
The classification rules are evaluated top-down. The device role is assigned by the first rule with
matching conditions. Other allowable actions such as sending a notification will be executed by all rules
that have matching conditions.
Rules can be arranged in the desired order by dragging rules up or down in the list as required. If a device
does not match all the conditions in any rule, then the device will be assigned the Untrusted Role which is
restricted by default.
If changes are made, click the “Activate” button for the changes to take effect.
Roles & Access Policy
In CGX Access admin UI:
• Go to Policies → Roles & Access
CGX Access has a set of preconfigured Roles & Access policies which will address most customer
requirements but can be modified if necessary.
In the default Roles & Access policies above, notice how both the restricted role and the untrusted role are
assigned the restricted access group. For management and reporting purposes, it can sometimes be
helpful to set up multiple roles even if these different roles get the same access group.
It is also possible to set the times and locations at which access groups are assigned. One example of how
this can be helpful is guest access: the guest role can be configured to be assigned only
during office hours and from approved locations. Times and locations must first be defined to use this
feature. To define times and locations go to Policies → Time/Location/List
If changes are made, click the “Activate” button for the changes to take effect.
Access Control Lists
Each of the access groups has a customizable ACL that is associated with it.
In CGX Access admin UI:
• Go to NAC → ACLs
To make changes to any of the ACLs, click on the access group you would like to change, and edit the
ACL in the dialog box.
The above restricted ACL allows DNS and DHCP traffic. It will automatically redirect http traffic to the
CGX Access landing page. All other traffic is denied.
ACL Syntax
Each ACL rule has the following syntax:
<ACTION> WHEN <CONDITION>
<ACTION> can be one of the following:
• ALLOW
Means the packet will be allowed to pass if <CONDITION> matches
• DENY
Means the packet will be blocked if <CONDITION> matches
• HTTPREDIRECT <url>
Means the packet will be modified with HTTP <url> redirection content inserted when
<CONDITION> matches
<CONDITION> is a <SIMPLE-CONDITION>
or any combination of <SIMPLE-CONDITION> using parenthesis and AND|OR OPERATORs.
<SIMPLE-CONDITION> can be one of the following:
• ETHTYPE <OPERATOR> <type>
Check for packet Ethernet type, <type> can be one of these strings: IP, ARP
• DIRECTION <OPERATOR> <direction>
Check for packet direction, <direction> can be one of these strings: IN, OUT
Packets can be captured in both directions:
IN direction means the packet flows from the protected to the rogue
OUT direction means the packet flows from the rogue to the protected
• PROTO <OPERATOR> <proto>
Check for IP protocol type. <proto> can be one of these strings: ICMP, TCP, UDP, IGMP
• LOCALPORT <OPERATOR> <no>
Check for TCP/UDP port against the number <no> in the case of IP/TCP/UDP packet.
This is always the port on rogue.
• REMOTEPORT <OPERATOR> <no>
Check for TCP/UDP port against the number <no> in the case of IP/TCP/UDP packet.
This is the destination port for outgoing packet and source port for incoming packet.
• PORT <OPERATOR> <no>
Check for TCP/UDP port against the number <no> in the case of IP/TCP/UDP packet.
This is the destination port for outgoing packet and source port for incoming packet.
• LOCALADDR <OPERATOR> <addr_or_subnet>
Check for IPv4 address or subnet against string <addr_or_subnet>.
This is always the IP address on rogue.
• REMOTEADDR <OPERATOR> <addr_or_subnet>
Check for IPv4 address or subnet against string <addr_or_subnet>.
This is the destination IP address for outgoing packet and source IP address for incoming packet
• ADDR <OPERATOR> <addr_or_subnet>
Check for IPv4 address or subnet against string <addr_or_subnet>.
This is the destination IP address for outgoing packet and source IP address for incoming packet
• TRUE
This condition is always true
• FALSE
This condition is always false
<OPERATOR> can be ==, != for strings and ==, !=, >, <, <=, >= for numbers.
Also, ! prefix-OPERATOR can be used to negate the [SIMPLE-CONDITION], like this:
!(PROTO=='TCP')
<addr_or_subnet> can contain IP-address range, like '192.168.0.1-192.168.0.100'
All strings should be quoted using single-quotes: 'example'
ACL Examples:
> ALLOW WHEN TRUE
Allows all the traffic.
> DENY WHEN TRUE
Blocks all the traffic.
> ALLOW WHEN PROTO=='TCP' AND PORT==80
Allows HTTP traffic to flow.
> ALLOW WHEN (PROTO=='UDP' OR PROTO=='TCP') AND PORT==53 AND ADDR=='192.168.0.0/24'
Allows DNS traffic coming from the 192.168.0.0/24 subnet.
> HTTPREDIRECT https://company.com WHEN PROTO=='TCP' AND (PORT==80 OR PORT==443)
Redirects all the HTTP traffic to the 'https://company.com' URL.
> ALLOW WHEN (PROTO=='TCP' OR PROTO=='UDP') AND LOCALPORT==3389
Allows RDP (mstsc) access to the rogue endpoint. LOCALPORT is used to specify a port on the rogue.
> ALLOW WHEN PROTO=='TCP' AND LOCALPORT==3389 AND LOCALADDR=='192.168.10.20'
Allows Remote Desktop to only one rogue, 192.168.10.20, from all protected endpoints.
> ALLOW WHEN PROTO=='TCP' AND PORT==3389 AND ADDR=='10.20.0.3'
Allows Remote Desktop to the protected endpoint 10.20.0.3 from all rogues.
> ALLOW WHEN PROTO=='TCP' AND LOCALPORT==3389 AND LOCALADDR=='192.168.10.20' AND REMOTEADDR=='192.168.10.16'
Allows Remote Desktop to rogue 192.168.10.20 from the protected endpoint 192.168.10.16.
> ALLOW WHEN PROTO=='TCP' AND (PORT==20 OR PORT==21) AND ADDR=='10.20.0.5'
Allows FTP from rogues to the FTP server 10.20.0.5.
> HTTPREDIRECT(LANDING_A)
The above is a special truncated syntax for an HTTPREDIRECT rule which supports CGX landing pages
automatically. This redirection URL will automatically use the CGX Landing page [A] IP.
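To make the syntax above concrete, here is a small evaluator for the ACL rule language as this guide describes it. This is an added example written for this page, not InfoExpress code, and it does not claim to reproduce the appliance's behaviour. It assumes, because the guide does not state it, that rules are evaluated top-down, that the first rule whose condition matches decides the action, that a packet matching no rule is denied, and that the truncated `HTTPREDIRECT(LANDING_A)` form applies to TCP port 80 traffic. The `Packet` model, the sample packets and the `RESTRICTED_ACL` text are constructed for the demo (modelled on the restricted ACL described above: DNS and DHCP allowed, one RDP exception, HTTP redirected, everything else denied).

```python
"""Toy evaluator for the CGX Access ACL rule syntax (added example, not product code).
Assumed here: top-down evaluation, first match wins, implicit DENY at the end."""
import ipaddress
import operator
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r"\(|\)|==|!=|<=|>=|<|>|!|'[^']*'|[A-Za-z_]+|\d+")
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, "<=": operator.le, ">=": operator.ge}
NUMERIC = {"LOCALPORT", "REMOTEPORT", "PORT"}   # compared as numbers
ADDRESS = {"LOCALADDR", "REMOTEADDR", "ADDR"}   # compared as IPv4 address / subnet / range
STRINGS = {"ETHTYPE", "DIRECTION", "PROTO"}     # compared as single-quoted strings


@dataclass
class Packet:
    """One frame seen from the rogue's side. OUT = rogue -> protected, IN = protected -> rogue.
    local_* is the rogue endpoint, remote_* the protected endpoint (constructed model)."""
    proto: str = "TCP"
    direction: str = "OUT"
    local_addr: str = "0.0.0.0"
    local_port: int = 0
    remote_addr: str = "0.0.0.0"
    remote_port: int = 0
    ethtype: str = "IP"

    def field(self, name):
        # PORT/ADDR are the protected side's values in both directions (destination when
        # OUT, source when IN), which is exactly what REMOTEPORT/REMOTEADDR hold here.
        return {"ETHTYPE": self.ethtype, "DIRECTION": self.direction, "PROTO": self.proto,
                "LOCALPORT": self.local_port, "REMOTEPORT": self.remote_port,
                "PORT": self.remote_port, "LOCALADDR": self.local_addr,
                "REMOTEADDR": self.remote_addr, "ADDR": self.remote_addr}[name]


def addr_matches(ip, spec):
    """True if ip lies in spec: a single address, a CIDR subnet or an 'a-b' range."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


class CondParser:
    """Recursive descent: cond := term (OR term)* ; term := factor (AND factor)* ;
    factor := '!' factor | '(' cond ')' | simple. Yields a predicate over Packet."""

    def __init__(self, text):
        self.toks, self.i = TOKEN_RE.findall(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        pred = self.cond()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def cond(self):
        terms = [self.term()]
        while self.peek() == "OR":
            self.take(); terms.append(self.term())
        return lambda p: any(t(p) for t in terms)

    def term(self):
        facs = [self.factor()]
        while self.peek() == "AND":
            self.take(); facs.append(self.factor())
        return lambda p: all(f(p) for f in facs)

    def factor(self):
        if self.peek() == "!":                       # prefix negation: !(...)
            self.take(); inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take(); inner = self.cond(); self.take(")")
            return inner
        return self.simple()

    def simple(self):
        name = self.take()
        if name == "TRUE":
            return lambda p: True
        if name == "FALSE":
            return lambda p: False
        op, raw = self.take(), self.take()
        if name in NUMERIC and raw.isdigit():
            value = int(raw)
            return lambda p: OPS[op](p.field(name), value)
        if name not in ADDRESS | STRINGS or not (raw.startswith("'") and raw.endswith("'")):
            raise ValueError(f"bad condition: {name} {op} {raw}")
        if op not in ("==", "!="):
            raise ValueError("strings and addresses support only == and !=")
        value, want = raw[1:-1], op == "=="
        if name in ADDRESS:
            return lambda p: addr_matches(p.field(name), value) == want
        return lambda p: (p.field(name) == value) == want


def parse_rule(line):
    """Split '<ACTION> WHEN <CONDITION>' (optionally '>'-prefixed) into (action, predicate)."""
    line = line.strip().lstrip(">").strip()
    m = re.fullmatch(r"HTTPREDIRECT\((\w+)\)", line)
    if m:  # truncated landing-page form; assumed here to cover TCP port 80 traffic
        return "HTTPREDIRECT " + m.group(1), CondParser("PROTO=='TCP' AND PORT==80").parse()
    action, sep, cond = line.partition(" WHEN ")
    if not sep:
        raise ValueError(f"rule has no WHEN clause: {line!r}")
    return action.strip(), CondParser(cond).parse()


def evaluate(acl_text, pkt):
    """Action of the first matching rule, or DENY when nothing matches (assumption)."""
    for line in acl_text.strip().splitlines():
        if line.strip():
            action, pred = parse_rule(line)
            if pred(pkt):
                return action
    return "DENY"


# Constructed ACL modelled on the restricted ACL described in this guide.
RESTRICTED_ACL = """
> ALLOW WHEN (PROTO=='UDP' OR PROTO=='TCP') AND PORT==53
> ALLOW WHEN PROTO=='UDP' AND (PORT==67 OR PORT==68)
> ALLOW WHEN PROTO=='TCP' AND LOCALPORT==3389 AND LOCALADDR=='192.168.10.20' AND REMOTEADDR=='192.168.10.16'
> HTTPREDIRECT https://company.com WHEN PROTO=='TCP' AND (PORT==80 OR PORT==443)
> DENY WHEN TRUE
"""

if __name__ == "__main__":
    samples = {  # constructed packets: (proto, direction, rogue addr/port, protected addr/port)
        "dns": Packet("UDP", "OUT", "192.168.10.20", 51000, "192.168.10.2", 53),
        "web": Packet("TCP", "OUT", "192.168.10.20", 51001, "203.0.113.5", 80),
        "rdp": Packet("TCP", "IN", "192.168.10.20", 3389, "192.168.10.16", 49152),
        "smb": Packet("TCP", "OUT", "192.168.10.20", 51002, "192.168.10.16", 445),
    }
    for label, pkt in samples.items():
        print(label, "->", evaluate(RESTRICTED_ACL, pkt))
```

Running the block shows the intended split: DNS passes, the web request is redirected, RDP from the one approved protected host reaches the rogue, and the SMB attempt falls through to the final DENY. Feeding your own draft ACL through `evaluate` before enabling enforcement is a cheap way to check that rule order produces the access you expect.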
Flagging Devices and Whitelisting
In NAC deployments, it is a common requirement to grant access to (whitelist) specific devices that are not
normally registered by end-users. Typical examples include printers, network infrastructure, VoIP
phones and other types of devices.
An easy way to grant access is by using the concept of Flagging. The CGX Access solution supports the
ability for administrators to create and set flags on specific devices. Then using device classification
policies, devices with specific flags can be granted full-access, blacklisted or assigned some other access.
By default, devices with any of these flags: network-infrastructure, router, switch, AD-Managed,
AV-Managed, managed-device, full-access, and printer, will automatically be granted full-access. This list
can be modified to address unique requirements.
CGX Access automates the process of flagging. The CGX Access solution will automatically flag a
device based on the results of device profiling. If CGX detects that a device is a printer, it will flag the
device as a printer. If using the default Device Classification Policy, the printer would then be granted
full-access. The same is true for network infrastructure like switches and routers.
Flags
CGX Access supports two types of flags, User Defined Flags and Reserved Flags. User Defined Flags can
be created and changed as required. The Reserved Flags are set automatically by the CGX Access device
profiling system and cannot be deleted.
• Go to Configuration → General Settings - Click on “Names Used by Policies”:
These two types of flags can be leveraged to address many unique requirements. For example, if printers
need to be physically checked before access is granted, a policy can be set to send an alert to the
administrator when a device that has been automatically flagged as a printer shows up on the network. Once the
printer has been inspected, the administrator can then assign a User Defined Flag, e.g. approved-printer,
which would allow it access to the network.
Setting Flags
Flags can be manually assigned to devices via the Device Manager.
• Go to Visibility → Device Manager
If the list of devices is long, show the Report Filters at the top of the screen to narrow down the
results.
Setting the flags manually can be done for one or more devices in a few steps.
• 1. Select the device(s) where a flag is desired
• 2. Select the action → Add flag to selected device(s) → Select Flag
• 3. Click Apply to selected devices
Whitelisting \ Blacklisting
CGX Access also supports adding a device(s) to a manual whitelist or blacklist. The examples below will
assume whitelisting, but blacklisting works the same way.
In the Network Map, devices can be added by MAC Address or IP Address to the global whitelist or to a
whitelist specific to a subnet. If entered into the Default Configuration, the whitelisting would be
configured for all subnets. When adding devices to the Default Configuration, it’s best to use MAC
addresses, so it can be relevant to all subnets.
• Go to NAC → Network Map → Show Configuration
The Network Map can also be used to configure IP addresses or MAC addresses that should only be
whitelisted on specific subnets.
• Go to NAC → Network Map
• Find the desired subnet and click on the “Show Configuration” link
Once the “Show Configuration” link has been clicked, the view will expand to show the Whitelist
box specific to this subnet. Both IP Addresses and MAC Addresses can be added.
Adding Devices to the Whitelist or Blacklist
For quick additions to the Whitelist or Blacklist you can click the ON | OFF controls in the Device
Manager. ON is the technical equivalent of being on the Whitelist, while OFF is the equivalent of being
on the Blacklist. Auto means access is set automatically following the policies defined under Device and
Role Classification.
When adding multiple devices to the whitelist it can be convenient to add devices via the Device
Manager.
• 1. Select the device(s) to be whitelisted
• 2. Select the action → Add to list → Select whitelist
• 3. Click Apply to selected devices
Note: Devices that are in the whitelist will be shown as ON. Devices in the blacklist will be shown as
OFF. Their respective list will also be shown in the Flags / Lists column.
Anti-spoofing Protection
When using MAC-based authentication on the network, MAC address spoofing can be a concern, as it is
easy to change a MAC address. CGX Access provides a fingerprint feature to protect against MAC
address spoofing. All devices on the network are profiled for their MAC address, IP, Operating System
and Hostname. This information can then be used to set a unique fingerprint for the device. Once a
fingerprint has been set, the device(s) will be protected from spoofing. For example, a printer's fingerprint can include
its host name and "printer" as its OS type. If a Windows, Apple or Linux device tries to spoof its MAC
address, the spoof would be detected and the device can be restricted.
Setting Fingerprints
Fingerprints can be set using the Device Manager
• 1. Select the device or devices where a fingerprint is desired
• 2. Select the action → Set Fingerprint
• 3. Click Apply to selected devices
• 4. Confirm details to be included in the fingerprint → Save
Devices with set fingerprints will have a blue fingerprint icon displayed in the Device Manager. Clicking
on the fingerprint will show the information included in its unique fingerprint.
Tip: The gray fingerprint icon can be clicked to quickly set a fingerprint.
MAC Spoofing Detection
Once a fingerprint has been set, any change in the fingerprint details will cause a mismatch, and actions
can be taken. In the example below, a Windows XP device had spoofed the MAC address of the printer.
Since the Operating System and the host name did not match the fingerprint, the fingerprint icon was
changed to red and the device was assigned an FP-mismatched flag so that actions can be taken.
Using Policies → Device & Role Classification rules, actions can be taken when an FP-mismatched flag is
detected. The policy below shows the device being assigned a restricted role and alerts being sent to the
network administrators.
Tip: The Fingerprint feature can be used in static IP environments to lock the IP \ MAC combinations to
quickly detect and alleviate IP conflicts.
Rogue DHCP Server Detection
With personal Wi-Fi routers and misconfigured virtual machines, it is not uncommon for rogue DHCP
servers to show up on the network. CGX Access can be configured to detect rogue DHCP servers, so
they can be quickly identified and removed from the network.
• Go to Configuration → General Settings.
• Click on Servers:
• Under DHCP Servers, input the IP addresses of all the authorized DHCP servers on the network.
• Select “Detect rogue DHCP servers”
Note: Any DHCP server not on the authorized IP list will be flagged as DHCP-rogue.
Using Policies → Device & Role Classification rules, actions can be taken when the DHCP-rogue flag is
detected. The policy below shows the device being assigned a restricted role and alerts being sent to
the network administrators.
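The fingerprint check, the rogue DHCP check and the top-down classification rules from the sections above all feed the same pipeline: profiling sets flags, flags match classification rules, the first matching rule assigns the role, and every matching rule's notifications fire. The following is an added example written for this page (not InfoExpress code) that models that pipeline end to end. Flag and role names are the ones this guide uses; the `Device` model, the sample printer and Wi-Fi router, the observed profiles, the authorized DHCP list, the rule set and the role-to-access-group table are all constructed for the demo. The printer rules model the "inspect before granting access" policy described under Flags, and the fingerprint mismatch scenario is the Windows XP device spoofing the printer's MAC address.

```python
"""Constructed model of flags -> Device & Role Classification -> role (added example)."""
from dataclasses import dataclass, field
from typing import Optional

FINGERPRINT_ATTRS = ("mac", "ip", "os", "hostname")   # the profiled details a fingerprint can lock
AUTO_FULL_ACCESS = {"network-infrastructure", "router", "switch", "AD-Managed",
                    "AV-Managed", "managed-device", "full-access", "printer"}


@dataclass
class Device:
    mac: str
    ip: str
    os: str
    hostname: str
    flags: set = field(default_factory=set)
    fingerprint: Optional[dict] = None   # details recorded by "Set Fingerprint -> Save"


def set_fingerprint(dev, attrs=FINGERPRINT_ATTRS):
    """Lock the chosen details for this device and return the snapshot."""
    dev.fingerprint = {a: getattr(dev, a) for a in attrs}
    return dev.fingerprint


def check_fingerprint(dev, observed):
    """observed: a fresh profile (dict keyed like FINGERPRINT_ATTRS) seen for dev.mac.
    Returns the details that changed; any change sets the FP-mismatched flag."""
    if dev.fingerprint is None:
        return []
    changed = [a for a, v in dev.fingerprint.items() if observed.get(a) != v]
    if changed:
        dev.flags.add("FP-mismatched")
    return changed


def flag_rogue_dhcp(devices, offer_sources, authorized):
    """offer_sources: IPs observed handing out DHCP leases (constructed observation).
    Any source not in the authorized server list is flagged DHCP-rogue."""
    rogue = []
    for dev in devices:
        if dev.ip in offer_sources and dev.ip not in authorized:
            dev.flags.add("DHCP-rogue")
            rogue.append(dev.ip)
    return rogue


# Rules as (name, condition, role, notifications), evaluated top-down exactly as the
# guide describes: the first matching rule's role wins, notifications fire for every match.
RULES = [
    ("fp-mismatch", lambda d: "FP-mismatched" in d.flags, "restricted", ["alert-admin"]),
    ("rogue-dhcp", lambda d: "DHCP-rogue" in d.flags, "restricted", ["alert-admin"]),
    ("unapproved-printer",
     lambda d: "printer" in d.flags and "approved-printer" not in d.flags,
     "restricted", ["alert-admin"]),
    ("flagged-full-access",
     lambda d: bool(d.flags & (AUTO_FULL_ACCESS | {"approved-printer"})),
     "full-access", []),
]


def classify(dev, rules=RULES):
    """Return (role, notifications). No matching rule -> Untrusted, restricted by default."""
    role, notes = None, []
    for name, cond, rule_role, actions in rules:
        if cond(dev):
            role = role or rule_role
            notes.extend(f"{name}:{a}" for a in actions)
    return role or "untrusted", notes


# Roles & Access step (constructed): both restricted and untrusted get the restricted ACL.
ROLE_TO_ACCESS_GROUP = {"untrusted": "restricted", "restricted": "restricted",
                        "full-access": "full-access"}


if __name__ == "__main__":
    printer = Device("00:11:22:33:44:55", "192.168.10.50", "Printer", "HP-LJ-3F", {"printer"})
    print("new printer:", classify(printer))        # restricted + alert until inspected
    printer.flags.add("approved-printer")           # administrator inspected it
    set_fingerprint(printer)
    print("approved printer:", classify(printer))   # full-access
    # Same MAC and IP now profiled as a Windows XP host: the fingerprint no longer matches.
    spoofed = {"mac": printer.mac, "ip": printer.ip, "os": "Windows XP", "hostname": "DESKTOP-7"}
    print("changed details:", check_fingerprint(printer, spoofed))
    role, notes = classify(printer)
    print("after spoof:", role, ROLE_TO_ACCESS_GROUP[role], notes)
    wifi = Device("aa:bb:cc:dd:ee:ff", "192.168.10.77", "Linux", "TL-WR841N")
    print("rogue dhcp:", flag_rogue_dhcp([wifi], {"192.168.10.77"}, {"192.168.10.1"}), classify(wifi))
```

Two things the run makes visible that the screenshots cannot: the fp-mismatch rule only helps because it sits above the full-access rule (swap the order and the spoofing host inherits the printer's access), and an approved printer keeps its FP-mismatched flag until an administrator clears it, so restriction persists rather than flapping with each profiling pass.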
Time \ Location \ List Policies
At times it can be useful to use time, location or lists of IP addresses to help determine what access should
be granted. For example, the default settings will allow guests to access the internet at any time, and from
any part of the network. If we wanted to limit where and when they can access the internet, we can use
the Location and Time Policies.
Location Policy
• Go to Policies → Time/Location/List and click on Location-policy. Location definitions can be
based on IP addresses.
Once the Location name has been saved, it can now be added as a condition for Guest Access in the
Device & Role Classification Policy.
• Go to Policies → Device & Role Classifications
The above Device Classification Policy now has two conditions that must be met for guest access to be granted. If
we wanted to limit access to office hours, we could set a third condition based on time.
Time Policy
• Go to Policies → Time/Location/List and click on Time-policy.
Time definitions can be adjusted or new ones created. Below is an example of how work hours might be
defined:
Once the Time Period name has been saved, it can now be added as a condition in a Device & Roles
Classification Policy.
• Go to Policies → Device & Role Classifications
The above Device & Role Classification Policy now has three conditions in order for guest access to
be granted.
Device-Lists Policy
Device-Lists Policies provide an easy method to define a list of IP addresses or MAC addresses to help
determine what access should be granted. They are commonly used to define a group of IP addresses that need
to be whitelisted.
• Go to Policies → Time/Location/List and click on Device-lists.
Device Lists can be adjusted or new ones created. Below is an example of how to create a device list for
a server farm using IP addresses:
Once the Device-List has been saved, it can now be added as a condition in a Device & Role
Classification Policy.
• Go to Policies → Device & Role Classifications
The above Device & Role Classification Policy will assign the Server Farm to have full-access.
Configuring Guest Access
CGX Access lets sponsors register guest accounts or sponsors can authorize guests to create their own
accounts. Sponsors can authorize individual registrations or register groups for classes or meetings with
configurable expiration times. Guest Access is a standard feature that is enabled by default, but a few
steps are recommended to customize or enhance the guest experience.
Customize Captive Portal
• Go to Configuration → General Settings and click on “Site Information”:
Adjust the Company Title, Welcome Page Title and any other details desired.
Customize Guest Portal
Go to Configuration → General Settings and click on “Guest Registration”:
• Edit the title and message boxes as desired.
• Enable or disable terms and conditions
• Enter an email address used as sender address and optionally one or more addresses that will be
BCC’d on guest registration emails
• Set the number of days to keep guest history details
Guest Registration Methods
CGX Access supports multiple "registration methods" to support a variety of guest access requirements.
Organizations can use one or more of these registration methods, and each type can be customized and
modified to address unique requirements. For example, it is possible to have a self-registered option that
provides a single day of access and a sponsor-registered option that provides a week of access.
Five different registration methods are pre-configured on CGX Access.
• Sponsor registered
o Accounts are created by a sponsor and the credentials are then given to the guest
• Guest registers themselves with Access Code
o Users register themselves using an access code
o Different access codes can be used to control length of time a guest has access, identify
different types of guests
• Event registration
o This type is used when a number of guest users attend an event
o Everyone in the group is given the same access code
o Guests are managed as a group
• Consultant
o By default, users register themselves using a one-time use access code
o A consultant flag is assigned, so that this guest would be given consultant access
• Self-Service Guest Registration
o Portal allows anyone to register for guest access, with no access code required
o If desired, SMS or E-mail can be confirmed
Customizing Device Registration for Guests
• Go to Configuration → Device Registration Methods → Guest Registration Methods
• Click on the Sponsor Registers Guest Account method:
The above shows various fields for the guest registration type. Here administrators can adjust the user
experience, required fields, and account validity. The administrator can also choose to allow the sponsor
to change the length of the default guest access.
A flag can also be set per guest registration type. Setting flags can be used to differentiate types of guests.
For example, the consultant method sets a consultant flag so that consultant access is then assigned. For more
details on flags, see the section titled Flagging Devices and Whitelisting.
The same configurations can be applied to the other methods of registration.
Setting up Sponsors
CGX Access can query the Active Directory server to validate permissions for sponsors to access the
management UI. Approved sponsors would only be given access to guest management functionality.
Using the "Active Directory Users and Computers" MMC:
• Add the group “GRM-Sponsor”
Note: upper/lower case is significant when creating AD groups.
Once the GRM-Sponsor AD group has been created, staff can be given sponsor rights (by adding their
userid to the GRM-Sponsor group).
By default, sponsors have the ability to sponsor all types of guest accounts. In order to limit sponsors to
only certain guest types (for example, if the front desk staff is only permitted to create daily visitors),
please follow these steps:
• Go to Configuration → Device Registration Methods
• Verify the types you want the sponsor to be able to administer
• Go to Configuration → Permission Manager and select the GRM-Sponsor Role (or other role you
may have created)
• Select the appropriate Registration Methods the sponsor should be allowed to administer
Sponsoring Users
Creating a “Guest Registers Themselves” Access Code
• A user who has either GRM-Sponsor or CGX-Admin permissions can go to Visibility → Guest
Registration Manager. If a user only has sponsor access, they can log in to the main CGX Access
web GUI and will have limited access to the Sponsor Guest pages.
• Choose “Guest Registers Themselves” from the pick list and click on “Create a Sponsorship”:
• Complete the fields as desired and click “Save”:
To create other types of access codes, follow the process outlined above. When additional
information is needed, the web UI will request it.
Configuring Device Registration
CGX Access supports device registration and is commonly used to support Bring Your Own Device
(BYOD) initiatives. Employees' or students' devices are checked by validating their credentials against
Active Directory. When a new device joins the network, it will be redirected to the captive portal. Staff
would then be able to register the device, and this registration would be valid for days, weeks, or months.
Several configuration options allow administrators to control the access of BYOD devices.
Administrative options include:
• Which AD groups are allowed to register BYOD devices
• Quantity of BYOD devices allowed per user (by group)
• Type of BYOD devices allowed
• Network access granted
Customizing the Device Registration portal
• Go to Configuration → General Settings and click on “Employee Device Registration”.
• Edit the title and message boxes as desired.
• Opt-in or Opt-out to show Terms of Use
• Click on save to accept any changes to the configuration.
Confirm Active Directory settings
In order to validate AD credentials, the AD server must be configured correctly. To verify settings use the
admin UI.
• Go to Configuration → General Settings.
• Click on Servers:
• Under Active Directory Server, confirm the host or IP address of the AD domain controller and
the Account suffix in the "Account Suffix" field. The @ symbol should precede the Account
Suffix.
By default, all domain users with valid credentials will be able to register their BYOD devices. It is
possible to limit which groups are allowed to register their devices, and to set different policies for
different groups. To enable granular AD registration, the AD groups must be specified in the CGX
Access server.
• Go to Configuration → General Settings.
• Click on “Names Used by Policies”:
Add the Active Directory groups that would need to register their devices. Groups that are added will
be shown as a configurable option when customizing Device Registration methods.
Customizing Device Registration Methods
• Go to Configuration → Device Registration Methods → Device Registration Methods
There is one default method for employee device registration. To make changes…
• Click on the “Employee Registers Personal Device” registration type:
The above defines the various parameters that can be customized for the device registration method. The
default method is configured to apply to all users with valid credentials.
Additional device registration methods can be created so that different AD groups have different
parameters. This can be useful where different lengths of access or device quantities are allowed, or
different information needs to be gathered about the user.
To modify:
• Change the top pulldown box to 'Any of the groups checked'
• Select the AD groups that the template will be applied to:
• Change the parameters for information gathered, access expiration, etc.
• Click 'Save'
• Save and Activate changes.
Note: When you have multiple Device Registration Methods, they are evaluated in order from top to bottom.
Methods can be re-arranged by dragging and dropping them into the order in which they should be evaluated.
User Experience
When a user is connected to the network, the browser will be redirected to a page similar to this:
Users can click on the Employee Device Registration link in order to be presented with a login screen
similar to this:
At this point, the employee will enter their AD credentials. Depending on the configuration they may be
prompted to complete an information form such as Full Name, Organization, Location, etc. After
completion the appropriate access will be assigned.
This device will be remembered by the system based on the timeout specified in the configuration. The
user will not be asked for credentials until the device ages out of the database or the timer for login
requests has expired.
Integration: Anti-Virus \ Endpoint Management
CGX Access supports integration with enterprise AV and endpoint management vendors. By leveraging
the integration at the management server, CGX Access can enforce compliance with security policies,
without the use of agents. Devices out-of-compliance can be restricted and an administrator(s) alerted.
Supported Solutions:
▪ Sophos Enterprise Console - 5.x +
▪ Sophos Central (cloud)
▪ Symantec Endpoint Protection Manager - 12.x and 14.x
▪ Symantec Endpoint Protection Cloud
▪ McAfee ePO - 5.x +
▪ Trend Micro OfficeScan - XG+
▪ Kaspersky Antivirus - 10.x+
▪ ESET Antivirus - 6.5+
▪ Microsoft SCCM \ WSUS – 4.x +
▪ IBM BigFix - 9.x +
▪ Moscii StarCat 2013 and StarCat 10
▪ Carbon Black Cb Response – 6.x +
▪ InfoExpress CyberGatekeeper 9.x +
Sophos Enterprise Console Integration
• In CGX Access admin UI go to Configuration → Integration
• Select the “Sophos Enterprise Console”
CGX Access communicates with the Sophos Enterprise Console by querying the SQL database.
• Set up the SQL Server used by Sophos to support SQL queries over TCP 1433. See below.
• Check “Enable Integration”
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to database
• Use "Test connection" button to validate settings → Save changes
Sophos SQL Prerequisites:
• Configure the MS SQL Server on the Sophos server to enable TCP/IP and specify a port such as
1433
• Install and use MS SQL Server management studio to create an account with permission to read
the Sophos DB
• Sophos uses different schemas. Check which schema/database name Sophos is using: Examples
include: SOPHOS540 (Sophos EP 5.4), or SOPHOS521 (Sophos EP 5.2)
• Configure the firewall on the Sophos server to allow CGX Access to communicate with the MS
SQL Server port: 1433
Tip: It may be helpful to Google, “how to enable remote connections on SQL version…” referencing
the specific version used by your Sophos Server.
Setting and Enforcing Anti-Virus Compliance Policies
Once the communications between the CGX Access appliance and Sophos SQL server have been
successfully tested, policies can be set to enforce compliance with AV policies.
Select the flags that should be assigned to devices that meet or fail the specific conditions.
There are several conditions you can select to monitor. When selected CGX Access will set flags on
specific devices that meet or fail the conditions. Using Device & Role Classification policies, devices
with specific flags can be assigned different roles.
The example above shows a device being assigned a non-compliant role if it has been flagged as AV-off,
AV-stale, AV-out-of-date or infected. Rule placement is important: rules are evaluated top-down, and
the first rule that applies takes precedence.
Tip: The AV-managed flag is helpful in expediting deployments. Any device that is being managed by
the corporate AV server can automatically be granted access to the network.
McAfee ePolicy Orchestrator Integration
• In CGX Access admin UI go to Configuration → Integration
• Select the “McAfee ePolicy Orchestrator”
CGX Access communicates with the ePolicy Orchestrator by querying its SQL database.
• Set up the SQL Server used by ePO to support SQL queries over TCP 1433. See below.
• Check “Enable Integration”
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to database
• Use "Test connection" button to validate settings → Save changes
ePO SQL Prerequisites:
• Configure the MS SQL Server on the ePO server to enable TCP/IP and specify a port such as 1433
• Configure the firewall on the ePO server to allow CGX Access to communicate with the MS SQL
Server port: 1433
Tip: It may be helpful to Google, “how to enable remote connections on SQL version…” referencing
the specific version used by your ePO Server.
Setting and Enforcing Anti-Virus Compliance Policies
Once the communications between the CGX Access appliance and ePO SQL server have been
successfully tested, policies can be set to enforce compliance with AV policies.
Select the flags that should be assigned to devices that meet or fail the specific conditions.
There are four conditions you can select to monitor. When selected CGX Access will set flags on specific
devices that meet or fail the conditions.
Using Device & Role Classification policies, devices with specific flags can be assigned different roles.
The example above shows a device being assigned a non-compliant role if it has been flagged as AV-off,
AV-stale or AV-out-of-date. Rule placement is important: rules are evaluated top-down, and the
first rule that applies takes precedence.
Tip: The AV-managed flag is helpful in expediting deployments. Any device that is being managed by
the corporate AV server can automatically be granted access to the network.
Symantec Endpoint Protection Manager - 12.x
• In CGX Access admin UI go to Configuration → Integration
• Click on "Symantec Endpoint Protection Manager"
• Check “Enable Integration”
• Enter Hostname or IP / port
• Click on "Create Web Service Application" button (a new web-browser window will open)
• Enter Username / Password to login to SEPM
• In left hand pane click on "Add an application"
• Enter Name of application and click on “Add” button (this will generate client-id and client-secret)
• Enter these credentials in CGX configuration page and click on "Create Access and Refresh
Token" button.
• Click on "Authorize" button to authorize this application and generate tokens.
• These values will automatically get populated in CGX Access configuration page.
• Use "Test connection" button to validate settings
• You may leave Query interval and flagging conditions as default or modify as required
• Save this configuration
Tip: The AV-managed flag is helpful in expediting deployments. Any device that is being managed by
the corporate AV server can automatically be granted access to the network.
Symantec Endpoint Protection Manager - 14.x
• In CGX Access admin UI go to Configuration → Integration
• Click on "Symantec Endpoint Protection Manager"
• Check “Enable Integration” and select 14.x
• Enter Hostname or IP / port
• Enter Username / Password to login to SEPM
• Use "Test connection" button to validate settings
• You may leave Query interval and flagging conditions as default or modify as required
• Save this configuration
Tip: The AV-managed flag is helpful in expediting deployments. Any device that is being managed by
the corporate AV server can automatically be granted access to the network.
Trend Micro OfficeScan Integration
• In CGX Access admin UI go to Configuration → Integration
• Select "Trend Micro OfficeScan"
CGX Access communicates with Trend Micro OfficeScan by querying the SQL database used by OSCE.
• Set up the SQL Server used by OSCE to accept SQL queries over TCP 1433. See the prerequisites below.
• Check "Enable Integration"
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to the database
• Use the "Test connection" button to validate the settings
• Save changes
OSCE SQL Prerequisites:
• By default, OSCE uses an internal database called Codebase. For integration with CGX Access, the OSCE database must be hosted on an SQL Server instance. Trend Micro provides a migration tool to make this easy:
https://success.trendmicro.com/solution/1059973-migrating-officescan-osce-server-database-to-an-sql-server
• Verify that the MS SQL Server on the OSCE server has TCP/IP enabled and listens on a fixed port such as 1433.
• The account entered above needs only read access to the OSCE database; do not use sa or another privileged login.
• Configure the firewall on the OSCE server to allow CGX Access, and only CGX Access, to reach the MS SQL Server port: 1433
Tip: It may be helpful to search the web for "how to enable remote connections on SQL Server <version>", referencing the specific version used by your OSCE server.
Setting and Enforcing Anti-Virus Compliance Policies
Once communication between the CGX Access appliance and the OSCE SQL server has been successfully tested, policies can be set to enforce compliance with AV policies.
Select the flag that should be assigned to devices that meet or fail each condition.
Three conditions can be monitored. When a condition is enabled, CGX Access sets the chosen flag on every device that meets or fails it.
Using Device & Role Classification policies, devices carrying specific flags can then be assigned different roles.
The example policy assigns a device the Non-compliant role if it has been flagged AV-off, AV-stale or AV-out-of-date. Rule order matters: rules are evaluated top-down and the first rule that matches takes precedence. If none of the three failure flags is set but the AV-managed flag is, the device is assigned the Full Access role.
Tip: The AV-managed flag is helpful in expediting deployments. Any device that is being managed by the corporate AV server can automatically be granted access to the network.
Easy NAC: CGX Access Guide
73
Kaspersky Antivirus Integration
• In CGX Access admin UI go to Configuration → Integration
• Select "Kaspersky Antivirus"
CGX Access communicates with the Kaspersky Administration Server by querying its SQL database.
• Set up the SQL Server used by Kaspersky to accept SQL queries over TCP 1433. See the prerequisites below.
• Check "Enable Integration"
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to the database
• Use the "Test connection" button to validate the settings → Save changes
Kaspersky SQL Prerequisites:
• Configure the MS SQL Server on the Administration Server to enable TCP/IP and listen on a fixed port such as 1433
• Use MS SQL Server Management Studio to create a dedicated account with read-only permission on the KAV database (membership in that database's db_datareader role is sufficient; do not reuse sa or another privileged login). KAV is the default database name used by Kaspersky.
• Configure the firewall on the Kaspersky Administration Server to allow CGX Access, and only CGX Access, to reach the MS SQL Server port: 1433
Tip: It may be helpful to search the web for "how to enable remote connections on SQL Server <version>", referencing the specific version used by your Kaspersky Administration Server.
Setting and Enforcing Anti-Virus Compliance Policies
Once the communications between the CGX Access appliance and Kaspersky Administration Server have
been successfully tested, policies can be set to enforce compliance with AV policies.
Select the flag that should be assigned to devices that meet or fail each condition.
Several conditions can be monitored. When a condition is enabled, CGX Access sets the chosen flag on every device that meets or fails it.
Using Device & Role Classification policies, devices carrying specific flags can then be assigned different roles.
The example policy assigns a device the Non-compliant role if it has been flagged AV-off, AV-stale or AV-out-of-date. Rule order matters: rules are evaluated top-down and the first rule that matches takes precedence. If none of those failure flags is set but the AV-managed flag is, the device is assigned the Full Access role.
Tip: The AV-managed flag is helpful in expediting deployments. Any device that is being managed by the corporate AV server can automatically be granted access to the network.
Easy NAC: CGX Access Guide
76
Microsoft SCCM \ WSUS Integration
CGX Access communicates with the WSUS server by querying the SQL database. By default, WSUS
uses the Windows Internal Database, so it may be necessary to first update the WSUS server to use SQL.
See WSUS SQL prerequisites below.
• In CGX Access admin UI go to Configuration → Integration
• Select "Microsoft WSUS"
• Check “Enable Integration”
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to database
• Use "Test connection" button to validate settings
• Save changes
WSUS SQL Prerequisites:
• By default, WSUS uses the Windows Internal Database. For integration with CGX Access, the WSUS database must be hosted on an SQL Server instance.
• Verify that the MS SQL Server on the WSUS server has TCP/IP enabled and listens on a fixed port such as 1433.
• The account entered above needs only read access to the WSUS database; do not use sa or another privileged login.
• Configure the firewall on the WSUS server to allow CGX Access, and only CGX Access, to reach the MS SQL Server port: 1433
Tip: It may be helpful to search the web for "how to enable remote connections on SQL Server <version>", referencing the specific version used by your WSUS server.
Setting and Enforcing Patch Compliance Policies
Once the communications between the CGX Access appliance and WSUS server have been successfully
tested, policies can be set to enforce compliance with patch policies.
Select the flag that should be assigned to devices that meet or fail each condition.
Four conditions can be monitored. When a condition is enabled, CGX Access sets the chosen flag on every device that meets or fails it.
Using Device & Role Classification policies, devices carrying specific flags can then be assigned different roles.
The example policy assigns a device the Non-compliant role if it has been flagged patch-pending or patch-failed. Rule order matters: rules are evaluated top-down and the first rule that matches takes precedence, so the rule that catches the failure flags must sit above any rule that grants access on the patch-managed flag.
Tip: The patch-managed flag is helpful in expediting deployments. Any device that is being managed by the WSUS server can automatically be granted access to the network.
Easy NAC: CGX Access Guide
79
IBM BigFix Integration
• In CGX Access admin UI go to Configuration → Integration
• Select “IBM BigFix”
• Check “Enable Integration”
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to database
• Use "Test connection" button to validate settings
• Save changes
BigFix SQL Prerequisites:
• Verify that the MS SQL Server on the BigFix server has TCP/IP enabled and listens on a fixed port such as 1433.
• Use MS SQL Server Management Studio to create a dedicated account with read-only permission on the BFEnterprise database (membership in that database's db_datareader role is sufficient; do not reuse sa or another privileged login). BFEnterprise is the default database name used by BigFix.
• Configure the firewall on the BigFix server to allow CGX Access, and only CGX Access, to reach the MS SQL Server port: 1433
Tip: It may be helpful to search the web for "how to enable remote connections on SQL Server <version>", referencing the specific version used by your BigFix server.
Setting and Enforcing Patch Compliance Policies
Once the communications between the CGX Access appliance and BigFix server have been successfully
tested, policies can be set to enforce compliance with patch policies.
Select the flag that should be assigned to devices that meet or fail each condition.
Four conditions can be monitored. When a condition is enabled, CGX Access sets the chosen flag on every device that meets or fails it.
Using Device & Role Classification policies, devices carrying specific flags can then be assigned different roles.
The example policy assigns a device the Non-compliant role if it has been flagged patch-pending or patch-failed. Rule order matters: rules are evaluated top-down and the first rule that matches takes precedence, so the rule that catches the failure flags must sit above any rule that grants access on the patch-managed flag.
Tip: The patch-managed flag is helpful in expediting deployments. Any device that is being managed by the BigFix server can automatically be granted access to the network.
Moscii StarCat Integration
• In CGX Access admin UI go to Configuration → Integration
• Select “Moscii StarCat”
• Check “Enable Integration”
• Enter Hostname or IP / database port / database name
• Enter Username / Password to connect to database
• Use "Test connection" button to validate settings
• Save changes
StarCat SQL Prerequisites:
• Verify that the MS SQL Server on the StarCat server has TCP/IP enabled and listens on a fixed port such as 1433.
• Use MS SQL Server Management Studio to create a dedicated account with read-only permission on the StarCat database (membership in that database's db_datareader role is sufficient; do not reuse sa or another privileged login). StarCat 2013 does not use a default database name, so check the SQL server for the correct name.
• Configure the firewall on the StarCat server to allow CGX Access, and only CGX Access, to reach the MS SQL Server port: 1433
Tip: It may be helpful to search the web for "how to enable remote connections on SQL Server <version>", referencing the specific version used by your StarCat server.
Setting and Enforcing Compliance Policies
Once communication between the CGX Access appliance and the StarCat server has been successfully tested, policies can be set to enforce that all Windows devices have the StarCat agent installed and are connecting to the server regularly.
Select the flags that should be assigned to devices that meet or fail the specific conditions.
When enabled, CGX Access sets the managed-device flag on, and can automatically grant access to, devices that StarCat manages, while devices that have not connected to StarCat in the past x days can be flagged as stale-device.
Using Device & Role Classification policies, devices carrying specific flags can then be assigned different roles.
The example policy assigns a device Full Access if it is flagged managed-device. A device flagged stale-device is given the Non-compliant role instead; for that to take effect the stale-device rule must be placed above the managed-device rule, because rules are evaluated top-down and the first match wins.
Tip: The managed-device flag is helpful in expediting deployments. Any device that is being managed by the StarCat server can automatically be granted access to the network.
Carbon Black Cb Response Integration
• In CGX Access admin UI go to Configuration → Integration
• Click on "Carbon Black Cb Response"
• Check “Enable Integration”
• Enter Hostname or IP / port
• In the Cb Response console go to Admin → My Profile → API Token
• Copy the API Token and paste it into the Token field. The token acts with the permissions of the Cb Response user that generated it, so generate it from a dedicated, least-privileged Cb Response account rather than a personal administrator login, and treat the token as a credential.
• Use the "Test connection" button to validate the settings and connectivity
Setting and Enforcing Compliance Policies
Once communication between the CGX Access appliance and the Cb Response server has been successfully tested, policies can be set to enforce that endpoint devices have the Cb Response agent installed and are connecting to the server regularly.
Select the flags that should be assigned to devices that meet or fail the specific conditions.
When enabled, CGX Access sets the managed-device flag on, and can automatically grant access to, devices protected by Cb Response, while devices that have not connected to the server in the past x days can be flagged as stale-device.
Using Device & Role Classification policies, devices carrying specific flags can then be assigned different roles.
The example policy assigns a device Full Access if it is flagged managed-device. A device flagged stale-device is given the Non-compliant role instead; for that to take effect the stale-device rule must be placed above the managed-device rule, because rules are evaluated top-down and the first match wins.
Tip: The managed-device flag is helpful in expediting deployments. Any device that is being protected by Carbon Black can automatically be granted access to the network.
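The top-down, first-match evaluation described for the anti-virus, patch and managed-device policies in the sections above is easy to get wrong when rules are reordered. The Python below is an added example, not code from the guide or the product: it models a Device & Role Classification policy as an ordered list of rules, classifies a device from its flags exactly as the guide describes, and includes a small ordering check that reports a permissive rule shadowing a more restrictive one. The role names, the rank table and the fall-through "Restricted" role are assumptions made for the illustration.

```python
"""Top-down, first-match role classification (added illustration, not product code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    any_of: FrozenSet[str]   # rule matches when the device carries at least one of these flags
    role: str                # role assigned when the rule matches


# Roles used in the guide's examples; "Restricted" is an assumed fall-through role.
NON_COMPLIANT = "Non-compliant"
FULL_ACCESS = "Full Access"
RESTRICTED = "Restricted"

# Higher rank = more network access. Used only by check_order() below (assumption).
ROLE_RANK: Dict[str, int] = {NON_COMPLIANT: 0, RESTRICTED: 1, FULL_ACCESS: 2}

# Policies as the guide lays them out: the restrictive rule first, the "managed" rule second.
AV_POLICY: List[Rule] = [
    Rule("AV failure", frozenset({"AV-off", "AV-stale", "AV-out-of-date"}), NON_COMPLIANT),
    Rule("AV managed", frozenset({"AV-managed"}), FULL_ACCESS),
]
PATCH_POLICY: List[Rule] = [
    Rule("patch failure", frozenset({"patch-pending", "patch-failed"}), NON_COMPLIANT),
    Rule("patch managed", frozenset({"patch-managed"}), FULL_ACCESS),
]
AGENT_POLICY: List[Rule] = [
    Rule("stale agent", frozenset({"stale-device"}), NON_COMPLIANT),
    Rule("managed", frozenset({"managed-device"}), FULL_ACCESS),
]


def classify(flags: Iterable[str], policy: List[Rule], default: str = RESTRICTED) -> str:
    """Evaluate rules top-down; the first rule whose flags intersect the device's wins."""
    present = frozenset(flags)
    for rule in policy:
        if rule.any_of & present:
            return rule.role
    return default   # no rule matched: the device keeps the fall-through role


def check_order(policy: List[Rule], rank: Dict[str, int] = ROLE_RANK) -> List[Tuple[str, str]]:
    """Report (earlier, later) rule pairs where an earlier rule grants more access than a
    later one. A device carrying flags from both rules takes the earlier, more permissive
    role, so the later restriction can never apply to it."""
    problems = []
    for i, earlier in enumerate(policy):
        for later in policy[i + 1:]:
            if rank[earlier.role] > rank[later.role]:
                problems.append((earlier.name, later.name))
    return problems


if __name__ == "__main__":
    device = {"AV-managed", "AV-off"}          # managed by the AV server, but protection is off
    print(classify(device, AV_POLICY))          # Non-compliant: the failure rule sits on top
    print(classify(device, AV_POLICY[::-1]))    # Full Access: same rules, wrong order
    print(check_order(AV_POLICY[::-1]))         # [('AV managed', 'AV failure')]
```

The reversed policy is the mistake the guide's "order matters" remarks warn about: a device that the AV server manages but whose protection is off still gets Full Access because the managed rule is evaluated first. Running check_order() over a policy before saving it catches that regardless of which integration produced the flags.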
Automated Threat Response with Syslog
Firewalls, APT solutions and other security products that monitor devices and network traffic can send event-based alerts for administrative action. CGX Access can receive event-based syslog messages from all types of security devices and take immediate action when necessary. If CGX Access receives an alert that a device is infected or misbehaving, the device can be restricted immediately.
Any solution that can send event-based syslog messages can be configured to work with CGX Access.
• In CGX Access admin UI go to Configuration → Integration
• Click on "Automated Threat Response - Syslog"
From this screen, an Event can be enabled. The event source IP is the IP address of the security appliance that sends the syslog messages to CGX Access. Multiple IP addresses or IP ranges can be entered. Keep this list as narrow as possible: syslog is usually sent over UDP without authentication, so a message forged with a listed source address would be treated exactly like a genuine alert.
Syslog Event Creation
CGX Access can work with any solution (Firewall, APT, IPS, SIEM, etc.) that can send event-driven syslog messages. To create new Events:
• In CGX Access admin UI go to Policies → Device Events
• Click on "New Event"
• Select "Device event from syslog"
This dialog box defines how a device event is triggered from a syslog message. If the search pattern is found, the event is triggered for the IP address (or hostname) found in the message. To set up an event, four sections must be configured.
Event Name
Give the event a name that explains which device sends the syslog message and what the event looks for.
Search syslogs for
The system searches for syslog messages that match the keywords specified here, for example "ID=attack detected". Regular expressions can be used, but do not include "/" at the beginning and the end.
Type of Information Extracted
Select whether the syslog message should be scanned for an IP address or a hostname.
If using IP: the system extracts the IP address of the offending endpoint using the predefined macro (%IP) to mark the address's position. For example, specify "SRC=(%IP)" if the IP address follows "SRC=" in the message.
If using Hostname: the system extracts the hostname of the offending endpoint from the text that follows a keyword. For example, with the keyword "hostname:", the name following it is taken as the hostname.
Flag the Device as
Choose the flag that should be assigned to the offending device when the event is triggered. Using a Device Classification policy, the device can then be automatically quarantined.
Custom flag names can be created under Configuration → General Settings → Names Used by Policies
Automated Threat Response - Email Alerts
CGX Access can receive e-mail messages from all types of security devices and take immediate action when necessary. If CGX Access receives an e-mail alert that a device is infected or misbehaving, the device can be restricted immediately.
Any solution that can send e-mail messages can be configured to work with CGX Access.
• Verify an inbound e-mail server has been configured – See Page 14
• In CGX Access admin UI go to Configuration → Integration
• Click on "Automated Threat Response - Email"
• From this screen, an Event can be enabled.
• To limit which e-mail addresses are allowed to send alerts to the CGX Access appliance, specify the approved addresses in the Sender's Address section. When left blank, all addresses are allowed. A sender address is easily forged, so do not leave this blank, and protect the mailbox that CGX Access polls so that only the alerting systems can deliver to it.
• The Query interval specifies how often CGX Access checks the mail server for new e-mail alerts.
Email Event Creation
CGX Access can work with any solution (Firewall, APT, IPS, SIEM, etc.) that can send e-mail messages. To create new Events:
• In CGX Access admin UI go to Policies → Device Events
• Click on "New Event"
• Select "Device event from an email alert"
This dialog box defines how a device event is triggered from an e-mail. If the search pattern is found, the event is triggered for the IP address or hostname found in the e-mail message. To set up an event, four sections must be configured.
Event Name
Give the event a name that explains which device sends the e-mail and why.
Search email alerts for
The system searches the e-mail messages for the keywords specified here, for example "Virus/Spyware". Regular expressions can be used, but do not include "/" at the beginning and the end.
Type of Information Extracted
Select whether the e-mail message should be read for an IP address or a hostname.
If using Hostname: the system extracts the hostname from the text that follows a keyword. For example, if "Machine:" is specified as the keyword, the name following it is taken as the hostname.
If using IP: the system extracts the IP address of the offending endpoint using the predefined macro (%IP) to mark the address's position. For example, specify "SRC=(%IP)" if the IP address follows "SRC=" in the message.
Flag the Device as
Choose the flag that should be assigned to the offending device when the event is triggered. Using a Device Classification policy, the device can then be automatically quarantined.
Custom flag names can be created under Configuration → General Settings → Names Used by Policies
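The syslog and e-mail event definitions above share the same matching logic: a search pattern, a locator that marks where the IP address or hostname sits, and a flag to set on the device. The Python below is an added example, not code from the guide or the product, showing how those three fields combine with the source filter (the event source IP list for syslog; the e-mail Sender's Address list works the same way on addresses instead of IPs and is not modelled separately). The event names, the "quarantine" flag and the sample messages are constructed for the illustration, and the hostname grammar is an assumption.

```python
"""Device events from syslog and e-mail alerts (added illustration, not product code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IP_MACRO = "(%IP)"
# Dotted quad at the macro's position; octet range is validated afterwards with ipaddress.
IP_PATTERN = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
# Hostname following the keyword, allowing an optional ':' or '=' and whitespace (assumed grammar).
HOSTNAME_PATTERN = r"\s*[:=]?\s*(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"


@dataclass(frozen=True)
class DeviceEvent:
    name: str      # "Event Name"
    search: str    # "Search ... for": regex the message must contain, without surrounding "/"
    extract: str   # "Type of Information Extracted": "ip" or "hostname"
    locator: str   # for ip: text with (%IP) at the address position, e.g. "SRC=(%IP)"
                   # for hostname: the keyword the hostname follows, e.g. "Machine:"
    flag: str      # "Flag the Device as"


def locator_regex(event: DeviceEvent) -> "re.Pattern[str]":
    """Compile the locator; everything except the (%IP) macro is literal text."""
    if event.extract == "ip":
        if IP_MACRO not in event.locator:
            raise ValueError("an ip locator must contain (%IP)")
        before, after = event.locator.split(IP_MACRO, 1)
        return re.compile(re.escape(before) + IP_PATTERN + re.escape(after))
    if event.extract == "hostname":
        return re.compile(re.escape(event.locator) + HOSTNAME_PATTERN)
    raise ValueError(f"unknown extract type {event.extract!r}")


def match_event(event: DeviceEvent, message: str) -> Optional[Tuple[str, str]]:
    """Return (device, flag) if the message triggers the event, otherwise None."""
    if re.search(event.search, message) is None:
        return None
    m = locator_regex(event).search(message)
    if m is None:
        return None                          # pattern hit, but no device to flag
    if event.extract == "ip":
        try:
            return str(ipaddress.ip_address(m.group("ip"))), event.flag
        except ValueError:
            return None                      # e.g. 999.1.2.3 matched the digits but is no address
    return m.group("host").lower(), event.flag


def trusted_source(sender_ip: str, allowed: Iterable[str]) -> bool:
    """Source filter: accept only senders inside the configured IPs or ranges."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def process_messages(samples: Iterable[Tuple[str, str]], event: DeviceEvent,
                     allowed_sources: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply the source filter, then the event, to (source_ip, message) pairs."""
    allowed = list(allowed_sources)
    flagged = []
    for source_ip, message in samples:
        if not trusted_source(source_ip, allowed):
            continue                         # unlisted sender: ignored, whatever it says
        hit = match_event(event, message)
        if hit is not None:
            flagged.append(hit)
    return flagged


# Constructed samples in a hypothetical firewall and AV alert format.
SYSLOG_EVENT = DeviceEvent("fw1 attack", r"ID=attack detected", "ip", "SRC=(%IP)", "quarantine")
SYSLOG_SAMPLES = [
    ("192.0.2.10", "<134>Jan 1 10:00:00 fw1 ID=attack detected SRC=10.1.2.3 DST=10.9.9.9"),
    ("192.0.2.10", "<134>Jan 1 10:00:01 fw1 ID=attack detected SRC=999.1.2.3 DST=10.9.9.9"),
    ("198.51.100.7", "<134>Jan 1 10:00:02 fw1 ID=attack detected SRC=10.1.2.4 DST=10.9.9.9"),
    ("192.0.2.10", "<134>Jan 1 10:00:03 fw1 ID=session closed SRC=10.1.2.5 DST=10.9.9.9"),
]
EMAIL_EVENT = DeviceEvent("AV virus alert", r"Virus/Spyware", "hostname", "Machine:", "quarantine")
EMAIL_BODY = "Alert: Virus/Spyware detected on Machine: LAPTOP-42 at 10:00"

if __name__ == "__main__":
    print(process_messages(SYSLOG_SAMPLES, SYSLOG_EVENT, ["192.0.2.0/24"]))
    print(match_event(EMAIL_EVENT, EMAIL_BODY))
```

Of the four sample syslog lines only the first produces a flag: the second carries an impossible address, the third comes from an unlisted source, and the fourth does not match the search pattern. Validating the extracted value before flagging matters because the flag drives an automatic quarantine; a loose pattern would otherwise let a malformed or crafted message flag the wrong device.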
Advanced Configuration Options
Administration Permissions
CGX Access can query the Active Directory server to validate the permissions of administrators accessing the management GUI. CGX Access uses management accounts stored in Active Directory, and different levels of access are given to admin users based on their AD group membership.
Administrator roles
Initially there are three administrator roles configured on a CGX Access: CGX-Admin, CGX-AdminRO and GRM-Sponsor. CGX-Admin is a default role that cannot be modified and has full privileges. CGX-AdminRO can be used for limited administrative privileges. GRM-Sponsor is a group allowed to sponsor guest access. Each permission role can be configured with different access rights, and permission roles may be added or deleted.
Roles correspond to groups defined in Active Directory: the administrative user authenticates with their Active Directory credentials and is given access based on the AD group they are a member of. For an Active Directory user to be placed into the CGX-Admin role on the CGX Access, the user must be a member of an AD group of the same name.
• Go to Configuration → Permission Manager to view and edit these roles.
Create CGX Access admin groups in Active Directory
Using the "Active Directory Users and Computers" MMC:
• Add the groups CGX-Admin, CGX-AdminRO and GRM-Sponsor. Group names are case-sensitive, so create them exactly as written.
• As a minimum, add one account (your own) to the CGX-Admin group. Keep the membership of CGX-Admin as small as possible, since every member of that AD group has full control of the appliance.
If you create a new account, make sure it is not set with "User must change password at next logon", as that prevents the account from being used on the CGX Access until the user changes the password.
Test AD connection
• Log out of the CGX Access admin GUI
• Log in with your AD domain account
If you can authenticate using your AD credentials then the CGX Access is successfully communicating
with the AD domain. If your AD credentials do not work double check that the address of the LDAP
server and the account suffix was entered correctly. Also double check that the changes/additions you
made to AD groups have been synchronized to the DC that the CGX Access is connecting to (i.e. the host
or IP entered).
Customizing Landing Pages
CGX Access provides customization in two ways. Text fields can be edited through the main configuration interface (see Configuration → General Settings). The style of the landing pages can be changed by modifying the CSS (cascading style sheet); the steps to create such a CSS are described below.
CSS files govern the look and feel of the landing pages only. The GRM theme (landing page theme) is generated from LESS source files (see http://lesscss.org for additional information on LESS).
Obtain a LESS editing program
LESS files are text files, so any text editor can be used. "Crunch" (www.crunchapp.net) is recommended, as it includes a CSS compiler for LESS files. Other options, such as "Sublime" (www.sublimetext.com) with the less2css plugin and an accompanying compiler, can be used as well.
Download LESS files
A basic set of LESS files can be obtained from InfoExpress support. It contains a base set of LESS files which can be compiled into a main.css file and accompanying image files (see below).
Edit .less files as desired
After downloading and decompressing the LESS files, open them in the editor and make changes as desired. Below are the files in which commonly changed parameters are found:
File             Description
main.less        Main file that links to the sub-files with additional settings
variables.less   Contains many of the default colors and images used
header.less      Settings for the top part of the pages
footer.less      Settings for the bottom of the pages
button.less      Settings for buttons
mobile.less      Settings for pages in a small browser
Settings for individual pages can be found in the /page directory.
Compile ("crunch") main.less into main.css
When satisfied with the changes, compile the main.less file (it pulls in all the other files it references). The output file must be called main.css.
Note: The compiler may place the main.css file in the same directory as the .less files.
Upload CSS and images to CGX Access
When done, upload the main.css file and the images directory to the CGX Access through FTP using the cguser account. FTP sends the cguser password in clear text, so change it from its default before use and only connect from a trusted management network. Below is the directory structure that should be present on the CGX Access:
Path                         Contents
/updates/grm-theme/css       the main.css file
/updates/grm-theme/images    the images referenced by the CSS file
Only the main.css file and the images are needed on the CGX Access; the .less files do not need to be uploaded.
After the files are uploaded, the CGX Access automatically picks them up and updates the landing pages. No further commands are needed. Allow a few seconds for this action to complete.
Central Visibility Manager
CVM Overview
It is common for customers to deploy multiple CGX Access appliances, either across multiple offices or for scalability in larger networks. Where more than one CGX Access appliance or Mini-Enforcer is deployed, the Central Visibility Manager (CVM) provides organization-wide visibility and management of these appliances.
The Central Visibility Manager does not perform monitoring or enforcement actions itself; it is used to consolidate the management of multiple appliances.
Configuring a Central Visibility Manager
The Central Visibility Manager uses the same virtual appliance image as the normal CGX Access
appliance, so the initial setup will be similar to setting up a CGX Access appliance.
Note: The CVM is licensed separately, and has a unique CVM license required to operate.
Basic IP configuration
• For physical appliances either plug in a keyboard and HDMI monitor or attach 9 pin serial cable to
the serial console port and power on the physical appliance.
• For virtual appliances open a console window and power on the VM.
Once the boot cycle is complete you will be prompted for a login.
• Login as admin/admin.
• From the main menu choose 1 (Run setup wizard) and follow the prompts to set the Managed IP address and netmask, the default gateway, DNS servers, system name, time zone and date/time.
Note: Keep the admin password in a safe place. If it is lost without access to an alternate admin-level account, there is no way to recover it.
Default user accounts are:
• admin - used for initial setup and configuration, as well as SSH access for maintenance tasks
• cguser - used for uploading files through FTP
The default password for each account is the same as the user name. Change both passwords as soon as the setup wizard completes: the defaults are published, and the admin account has full control of the appliance.
When the setup wizard completes, the system should be accessible on the network.
• Confirm that you can ping the management IP from another system on the same subnet and also
from a system on another subnet. If the pings do not succeed double check the physical or virtual
connections and the basic IP configuration
• Connect to the CGX Access web GUI by opening https://<Managed ip> (that was configured
previously)
Login as user admin (default password admin). A modern browser such as Chrome is strongly recommended; older versions of IE or Firefox may not display the pages correctly.
Using the web GUI, additional settings can be configured:
• (Optional) Active Directory server settings (used for Permission Management)
• (Optional) E-mail & SMS server settings (used for alerting)
• (Required) Add the license for the Central Visibility Manager
1. In CGX Access admin UI go to Configuration → License Manager
2. Click on "New License"
3. Paste the key into the space provided and apply
The License Manager shows the maximum number of CGX Access appliances that the CVM can manage. If using a Distributed license, it also shows the number of devices that can be managed and the current allocation of the license. With a Distributed license, the customer can allocate the license across different appliances.
Once the initial configuration is done, the new server can be switched to a Central Visibility Manager.
• In CGX Access admin UI go to Configuration → Appliance Settings
• Scroll down to Site Settings and change "CGX Access Server Mode" from Standalone Server to Central Visibility Manager
• Set both the Site name and an account for Inter-CGX Access communication.
◦ If left blank, the site name defaults to Central Visibility Manager
◦ The Site Name should only consist of the characters A-Z, a-z, 0-9 and _
◦ The username and password are used only to secure Inter-CGX traffic; they do not need to correspond to any real account. Choose a long, random password that is not used anywhere else, because any remote appliance configured with this pair can join the CVM.
• Click Submit. You will be logged out of CGX Access and the changes will take effect.
Configuring a Remote CGX Access Appliance
Once a Central Visibility Manager has been configured, new or existing standalone CGX Access appliances can be configured to be managed from the CVM.
If the Remote Server is a new deployment rather than a conversion of an existing Standalone Server, first perform the Initial Configuration covered on Page 9. At a minimum, the Remote Server should have:
• a primary IP address assigned
• a host name
• a DNS server
Once the server has a basic configuration it can be switched to a Remote Server:
• In CGX Access admin UI go to Configuration → Appliance Settings
• Scroll down to Site Settings and change "CGX Access Server Mode" from Standalone Server to Remote Server
• Set the Site name, the Central Visibility Manager IP Address, and the account for Inter-CGX Access communication.
◦ The Site Name should only consist of the characters A-Z, a-z, 0-9 and _
◦ The username and password must be the same as those set on the Central Visibility Manager.
• Click Submit. You will be logged out of CGX Access and the changes will take effect.
• Within two minutes, endpoint state should be replicated to the Central Visibility Manager.
Deployment Manager
The Central Visibility Manager includes a Deployment Manager that is used to accelerate deployments or
configuration changes among different CGX Access appliances.
• In CVM admin UI go to Configuration → Deployment Manager
• Create a Deployment Set
1. Specify a name
2. Select the Source appliance to copy the settings from
3. Choose which settings to include in the Deployment set
4. Click Save
• Push a Deployment Set
1. Select a Deployment Set
2. Select the location(s) to push to
3. Click Push
4. Confirm the Push
Maintenance and Support
Upgrading firmware
Firmware updates may be provided by InfoExpress to add new functionality to the CGX Access or to fix existing issues. A binary update file (BIN file) is provided together with a checksum and file size; for example, CGX-Access-2.3.190301.BIN with a checksum of 1067271049 and a file size of 195473389. Verify the downloaded file against both values before uploading it: a mismatch means the file was corrupted or altered in transit and must not be installed.
The firmware of the CGX Access can be upgraded via the web interface:
• In CGX Access GUI, go to Configuration → Appliance Settings
• Scroll down to Server Maintenance → Software Update
• Browse to the location of the file and upload the image
• Once uploaded, enter the provided values in the checksum and file size fields, then Submit
The CGX Access will warn of a loss of connectivity and may then ask for a reboot. Connectivity will be lost and you will have to reconnect if an SSH session was used. Allow ~5 minutes for the upgrade to complete.
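A small verifier for the check above, as an added example that is not code from the guide or the product. The guide does not state which checksum algorithm its values use; the POSIX cksum CRC (polynomial 0x04C11DB7, byte count appended, result complemented) is assumed here because a 32-bit unsigned decimal paired with a byte count is the form that utility prints, and the assumption is marked in the code. Run it against the downloaded BIN with the two values from the release note; the constructed sample in the main block deliberately does not match.

```python
"""Verify a firmware image against the vendor-supplied checksum and size before uploading it
(added example, not part of the guide). ASSUMPTION: the checksum is the POSIX cksum CRC."""
from typing import Iterable, Tuple


def _make_table() -> list:
    """CRC table for polynomial 0x04C11DB7, MSB-first, no bit reflection (as cksum uses)."""
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ 0x04C11DB7) if c & 0x80000000 else (c << 1)
            c &= 0xFFFFFFFF
        table.append(c)
    return table


_TABLE = _make_table()


class PosixCksum:
    """Incremental POSIX cksum so a large image can be hashed chunk by chunk."""

    def __init__(self) -> None:
        self.crc = 0
        self.size = 0

    def update(self, chunk: bytes) -> None:
        crc = self.crc
        for b in chunk:
            crc = ((crc << 8) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
        self.crc = crc
        self.size += len(chunk)

    def digest(self) -> int:
        crc, n = self.crc, self.size
        while n:                             # cksum feeds the byte count in, low byte first
            crc = ((crc << 8) ^ _TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]) & 0xFFFFFFFF
            n >>= 8
        return (~crc) & 0xFFFFFFFF           # final one's complement


def posix_cksum(data: bytes) -> int:
    """One-shot convenience wrapper around PosixCksum."""
    c = PosixCksum()
    c.update(data)
    return c.digest()


def verify_image(chunks: Iterable[bytes], expected_cksum: int,
                 expected_size: int) -> Tuple[bool, int, int]:
    """Return (ok, actual_cksum, actual_size). Both values must match; the actual values
    are returned so the caller can report which one differed."""
    c = PosixCksum()
    for chunk in chunks:
        c.update(chunk)
    actual = c.digest()
    return (c.size == expected_size and actual == expected_cksum), actual, c.size


def verify_image_file(path: str, expected_cksum: int, expected_size: int,
                      chunk_size: int = 1 << 20) -> Tuple[bool, int, int]:
    """Stream a BIN file from disk through verify_image() without loading it whole."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return verify_image(chunks(), expected_cksum, expected_size)


if __name__ == "__main__":
    # Constructed stand-in for an update image; the expected values are the ones the guide quotes.
    image = b"\x00" * 4096
    ok, crc, size = verify_image([image], 1067271049, 195473389)
    print("upload" if ok else f"do not upload: got checksum {crc}, size {size}")
```

Checking the size first is deliberate: a truncated download fails fast with an obvious reason, while a size match combined with a checksum mismatch points at corruption or tampering rather than an incomplete transfer.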
End of Document